[OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;

Changqing Li changqing.li at windriver.com
Wed Dec 4 08:21:14 UTC 2019


On 12/4/19 4:16 PM, Richard Purdie wrote:
> On Wed, 2019-12-04 at 08:25 +0800, Changqing Li wrote:
>> ping
> There was a reply from Paul Eggleton about the server side of this
> patch, were those issues addressed?
>
> Cheers,
>
> Richard

I must have missed the reply :-[ I will check it.

Thanks.


BRs

Sandy

>> On 11/12/19 4:32 PM, changqing.li at windriver.com wrote:
>>> From: Changqing Li <changqing.li at windriver.com>
>>>
>>> When we have the content below in local.conf or auto.conf:
>>> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem at gmail.com>"
>>> send-error-report will fail with "HTTP Error 500: OK"
>>>
>>> error-report-web does a rudimentary check on all fields that are
>>> passed to the graphs page to avoid any XSS happening; if a field
>>> contains '<', the server will return an error (Invalid characters in
>>> json). Fixed by using the escaped forms of <> to replace them.
>>>
>>> NOTE: with this change, error-report-web needs to add the filter 'safe'
>>> for the string to be displayed, to avoid further HTML escaping
>>> prior to output. Below is how the content is displayed on the webpage:
>>> with the filter 'safe':
>>> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem at gmail.com>"
>>> without the filter 'safe':
>>> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj &lt;raj.khem at gmail.com&gt;"
>>>
>>> Another patch for error-report-web will be sent to the yocto mailing list.
>>>
>>> [YOCTO #13252]
>>>
>>> Signed-off-by: Changqing Li <changqing.li at windriver.com>
>>> ---
>>>    meta/classes/report-error.bbclass | 1 +
>>>    1 file changed, 1 insertion(+)
>>>
>>> diff --git a/meta/classes/report-error.bbclass
>>> b/meta/classes/report-error.bbclass
>>> index 1a12db1..6046867 100644
>>> --- a/meta/classes/report-error.bbclass
>>> +++ b/meta/classes/report-error.bbclass
>>> @@ -36,6 +36,7 @@ def get_conf_data(e, filename):
>>>                        continue
>>>                    else:
>>>                        jsonstring=jsonstring + line
>>> +    jsonstring = jsonstring.replace("<", "&lt;").replace(">",
>>> "&gt;")
>>>        return jsonstring
>>>    
>>>    python errorreport_handler () {
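Review bot: The added `jsonstring.replace("<", "&lt;").replace(">", "&gt;")` line in get_conf_data() leaves `&` unescaped, so a conf line that already contains the literal text `&lt;` is indistinguishable from an escaped `<` once the server renders the field with the 'safe' filter, and the displayed value no longer matches the file. Escaping `&` first would keep the encoding unambiguous, for example `html.escape(jsonstring, quote=False)`. More importantly, the commit message makes the server mark this field 'safe', which means output escaping for that field now depends on every client having run this line. The server cannot assume that of a submitter it does not control, and its '<' check becomes the only barrier for the field. It would be safer to keep HTML escaping at render time in error-report-web and relax or adjust the server-side input check there, rather than encoding for HTML in the client that only transports the data.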
>

